How the new Game Genie lets you hack your PS3 saves

Or: Editing hexadecimal values for in-game fun and profit.

Believe it or not, the highlighted value there is key to unlocking maximum health in a Dead Space 2 save file.

Hyperkin

The newest, PS3-based incarnation of the Game Genie doesn’t share much of a lineage with the original line of similarly named, cartridge-based cheat devices nearly ubiquitous in the 8- and 16-bit eras; manufacturer Hyperkin picked up the rights to the name when Galoob’s original trademark recently lapsed. It doesn’t share exactly the same functionality as its namesake either. While the old Game Genies actively patched the ROM code being loaded from the game cartridge, the PS3 Game Genie is actually just a computer program that lets you decode and modify PS3 save files stored on a standard USB stick.

But one thing the old and new Game Genies share is the ability for a determined, patient hacker to create their own cheats by diving into the vagaries of the hexadecimal code. While most users will probably be satisfied clicking checkboxes to activate pre-built cheats like maximum health and full game unlocks (just like most users of the original Game Genie were satisfied copying down codes from the included booklet or game magazines), the Game Genie software also offers an Advanced mode that allows for more direct save file manipulation.

The Game Genie documentation doesn’t offer much guidance on how to use this advanced editing option, so I reached out to Hyperkin Project Manager Wayne Beckett (a veteran developer of previous cheat devices like the Action Replay and Game Shark) to explain the basics of how the PS3 save file hacking works.

Breaking the encryption

While the interface the Game Genie uses for its save file hacking looks like a simple hexadecimal file editor, the software actually conceals a lot of behind-the-scenes work needed to make those files editable in the first place. “If you take a hex editor like Winhex on your PC and you open a PS3 save, the only thing you're ever going to do is break it,” Beckett said. That’s because those save files are protected by “encryption, compression, checksums, second level encryption, and so on,” he explained.

“So we basically make all of that invisible to the user. We'll actually decode the save on our server, then we'll send it to you, and then you make the changes, then we'll re-encode the save and send it back,” he said. (This process also makes it possible to re-encode a save file with the profile from another PS3 system, letting you easily transfer saves between hardware).

Unfortunately, this means that the Game Genie only works with a selection of about 70 PS3 games that Hyperkin has gone to the trouble of figuring out how to decrypt and decompress to be directly editable (the company is working to expand that list going forward with automatic online updates). Beckett said the involved process of unlocking the specific save format for a single game can take days or even weeks, especially for complicated files like those found in Skyrim or Max Payne 3.

To prioritize which games go through the process first, Hyperkin keeps track of player sentiment through Facebook and e-mail to figure out which games people want to cheat on the most. “Sometimes the most popular games aren't necessarily the games people want to most cheat on,” Beckett said. “The ones people typically want to most cheat on are typically the hardest games. It's not exactly what you'd expect.”

The memory hunt

Don't want to hack yourself? You can activate plenty of pre-loaded cheats just by clicking a checkbox.

Hyperkin

For some of the games that Hyperkin has unlocked, editing the save file is a relatively straightforward process. Capcom’s Dragon's Dogma, for instance, stores the raw save data as a human-readable plain text file, making it simple to find the specific values you want to edit. For the vast majority of saved games, though, the save file you get back from Game Genie’s decryption process is just a wall of hexadecimal values (and perhaps a few stray human-readable ASCII variable names) that’s going to look like gibberish even to an experienced programmer.

One of the best ways to figure out which brick to chip away at in that hex wall is to cross-reference a couple of different saves for some known values, Beckett said. Say you have one save file where a character has 325 gold pieces, for example, and another where he has 500 gold pieces. If you search out all the memory locations holding the hexadecimal equivalent of 325 in the first save file, and those holding the equivalent of 500 in the second file, you’ll likely find at least one location where the matches overlap. That provides a good clue as to where the “gold value” variable is being stored in the save file.

Your right to hack

The Game Genie name doesn’t exactly have a sterling reputation, as far as some first-party console manufacturers are concerned, at least. Back in the early ‘90s, Nintendo actually sued Game Genie maker Galoob, alleging the modifications the device made to its games and system amounted to copyright infringement. The case took the Game Genie off the market for a time, but Galoob eventually prevailed. In the process, the case set a precedent for a user’s right to modify their own technological property for personal use.

“Basically Nintendo said, 'we don't like this product and we're going to sue,' [but] the fact that Nintendo didn't like it wasn't enough, because it wasn't illegal,” Beckett said. “At the end of the day it's your save... if you buy a car you can make certain modifications to that car.”

That doesn’t mean Hyperkin is out to antagonize Sony by letting players gain unearned PS3 trophies or an unfair advantage in online play. Those kinds of things are pretty much impossible with the Game Genie, anyway, since editing a local save file can’t alter the server-side player statistics maintained by the publisher. Still, Beckett said they keep an eye out for things that might affect online gameplay and purposely leave them out of pre-loaded code lists.

While Beckett expects that the new Game Genie “will mildly irritate Sony,” he was adamant that hacking your own, single-player save files is a basic right. “The games companies don't have a right to dictate how you play your game. If you want to fast forward through a DVD and watch the second half or the ending, as long as you bought the DVD, it's your right to do that.”

Performing these kinds of searches with the Game Genie software is relatively simple, thanks to a “find” function that automatically converts decimal values to hexadecimal. Unfortunately, the software doesn’t provide much help in comparing those discovered memory locations across two different save files. The program doesn’t offer a simple “diff” operation between two save files, which would make it easy to see which memory locations change between two largely similar save states (Beckett said they hope to add this feature in the future). It’s not even possible to copy the raw data out to your own more powerful hex editor to find those differences for yourself, or to open two save files side by side for a direct visual comparison. The only option is to copy down the memory values by hand and compare them that way, a tedious and laborious process.

Once you’ve found the key memory location, though, it’s just a matter of editing it to whatever hexadecimal value you want (Beckett noted that most experienced hackers have memorized the hexadecimal value for 9,999,999 for this very reason). It may take a few trial-and-error passes to figure out exactly how extensive the edits should be (does the gold value take up 8 bits or 16 bits, for instance?) but the Game Genie backs up the original saves, so you don’t have to worry about screwing up your save file permanently.
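The two-save search, the missing “diff,” and the 8-bit-or-16-bit question above, worked through as an added Python example (not Hyperkin's code or the Game Genie's). The two saves are constructed byte strings standing in for decoded save data, and the field layout (a 16-bit little-endian gold counter at offset 0x14) is an assumption made for the demonstration:

```python
"""Two-save value hunt over decoded save data (added example, not Hyperkin's code)."""
import struct

# Field widths and byte orders to try; the "8 bits or 16 bits?" question
# from the article is exactly this ambiguity.
ENCODINGS = {"u8": "B", "u16le": "<H", "u16be": ">H", "u32le": "<I", "u32be": ">I"}


def find_value(blob: bytes, value: int, fmt: str) -> set:
    """Every byte offset at which `value` appears encoded with struct format `fmt`."""
    try:
        needle = struct.pack(fmt, value)
    except struct.error:  # value does not fit in this width at all
        return set()
    hits, start = set(), 0
    while (i := blob.find(needle, start)) != -1:
        hits.add(i)
        start = i + 1
    return hits


def cross_reference(save_a: bytes, val_a: int, save_b: bytes, val_b: int) -> dict:
    """Offsets where save_a encodes val_a AND save_b encodes val_b, per encoding.

    The counter sits at an offset that matches in both files under the same
    encoding; decoy matches present in only one file drop out of the intersection.
    """
    result = {}
    for name, fmt in ENCODINGS.items():
        common = find_value(save_a, val_a, fmt) & find_value(save_b, val_b, fmt)
        if common:
            result[name] = sorted(common)
    return result


def diff_offsets(save_a: bytes, save_b: bytes) -> list:
    """Byte offsets that differ between two same-length saves (the 'diff' the tool lacks)."""
    return [i for i, (x, y) in enumerate(zip(save_a, save_b)) if x != y]


def patch_field(blob: bytes, offset: int, fmt: str, value: int) -> bytes:
    """Write `value` at `offset` as `fmt`; struct.error if the value overflows the field."""
    packed = struct.pack(fmt, value)
    return blob[:offset] + packed + blob[offset + len(packed):]


def make_save(gold: int) -> bytes:
    """Constructed sample: 16-byte tag, 4 bytes padding, 16-bit LE gold counter at
    offset 0x14, then filler that doubles as decoys (45 01 = 325 LE, F4 01 = 500 LE)."""
    return b"SAVEDATA-HERO-01" + b"\x00" * 4 + struct.pack("<H", gold) + b"\x45\x01\x00\x00\xf4\x01"


SAVE_325, SAVE_500 = make_save(325), make_save(500)

if __name__ == "__main__":
    print(cross_reference(SAVE_325, 325, SAVE_500, 500))  # {'u16le': [20]}
    print(diff_offsets(SAVE_325, SAVE_500))                # [20]
    print(patch_field(SAVE_325, 20, "<H", 9999).hex())
```

Each save alone has two 16-bit little-endian matches (one of them a decoy in the filler); only the intersection points at offset 0x14, and writing 9,999,999 into that 16-bit field is refused because it needs 24 bits.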

The master of unlocking

What about cheats that don’t have a distinct numerical component, like those that unlock hidden characters or levels? Beckett said these are going to be harder for an average user to suss out for themselves—Hyperkin uses its own more advanced tools to figure out which precise bits control these elements of the save file. But at-home hackers have a chance to discover these kinds of things on their own simply by making some educated guesses.

“You could do it, especially if you see some of our codes,” Beckett said. “If you look around [the memory locations for known codes] and modify the bits immediately above and below, there's a very good chance there's something interesting around there, so that's another trick you can use.”

That kind of hunting can even unlock things that the developer had probably intended to remain totally hidden, as Hyperkin found out for itself when it unlocked a previously unknown “god mode” in the save file for Castlevania: Lords of Shadow. “It was probably a god mode that was built-in and probably left in for the developers, I guess, to give to magazines for reviews and things like that,” Beckett said. “That's something they probably never expected us to find it, but we have found it and we've unlocked it.”

Unearthing your own gems in the mess of hex values that is a PS3 save file is largely just a matter of putting in the time to try things out and see what happens. “Some people come up with some quite amazing codes just by trial and error, and they've got a lot more patience than I have, let's put it that way,” Beckett said. “The main [strategy] is just to change the value and just look for places that have changed, especially when it's an actual numerical value, they're the easiest ones to look for. You just have to sort of go in and be a bit nosy, and look for information that will give you clues...”

Promoted Comments

Man, reminds me of messing with DeHackEd back in the day on Doom. Nothing funnier than making Imps throw Imps instead of fireballs, and then watching the imps either start fighting each other, or crash the game as thousands of imps spawn.

For me (pc gamer) console gaming is almost always single player or multiple people sitting in front of the same TV. I'm totally fine with this kind of device to be available. Sometimes you know where that secret unlock is but it's just a serious pain to do something over and over and over until you get it just right to collect the item (especially when the game engine isn't perfect). Console games to me are about the fun of playing the game.

Meh, enabling cheats and being too easy ruins games. Turn up the difficulty, die some, and start having fun.

Quote:

inb4 Sony's firmware update disabling editable gamesaves...

Hopefully. If there's to be any integrity at all to the trophy system, people that use these methods need to have their accounts banned. Sony could almost certainly go after the GG people for DMCA violations if they wanted to. I'm usually for openness and letting people do whatever they want, but if your PS3 is connected to the PSN, what you do affects everyone else.

Very likely actually. Having people able to edit save files introduces the possibility that someone will find an exploit in a particular game that allows them to run homebrew. The first Wii hacks involved a bug in the save file reader for Twilight Princess.

Quote:

While Beckett expects that the new Game Genie “will mildly irritate Sony,” he was adamant that hacking your own, single-player save files is a basic right. “The games companies don't have a right to dictate how you play your game. If you want to fast forward through a DVD and watch the second half or the ending, as long as you bought the DVD, it's your right to do that.”

As much as I'd like to agree with Beckett -- the DMCA would disagree with his statement since the saved game is encrypted.

We need stuff like this actually. I hate it that some devs can prohibit copying of save files (i.e. NFS Shift) and some save files are tied to a PSN account (which means they won't work on another rig, or will be limited in some other way - GT5, MK9).

I for one welcome the option of backing up our saves properly. I just wish it could be done easier (shame on you Sony).

edit: I mean at least those from which the account information can be stripped.

Totally love this. Games are meant for entertainment. As long as people get fun out of gaming, how people play the games is up to them. As long as they don't cheat when playing online. I think all games should have built-in cheat codes (i.e. GTA; just disable achievements/trophies). It increases game replay value. Sometimes I just want to be godlike and rule all AIs. It is only a game.

It's probably more likely that Sony will take the low road and disable all backups of save games... It'd be an easy way to circumvent this after all. If you can't get a save off the system, you can't use Game Genie.

While enterprising individuals could just remove the HD from the PS3 and plug it into a computer, Sony uses an encrypted UFS2 file system with the encryption key stored somewhere on the PS3, so good luck decrypting it unless you can get a custom firmware on it, or have a pre-3.21 PS3...

I'm willing to bet Sony is going to remove yet another feature from the PS3 to prevent this from happening.

Of course those with already modified consoles (CFW) don't need this and it's too late for Sony to fix it. We've been able to FTP files to/from our PS3 and do what we want with them. It would seem Game Genie has been using modified hardware to figure this stuff out and make it easier for others to do. Moving the decryption to a different system is necessary since they can't install software locally unless it's a modified PS3.

I've written lots of save state editors for NES/SNES games (played on the PC via emulators). His description of how to approach this problem is exactly the method I used to discover interesting bits to modify in the save state files. This is especially helpful if you just want to run through an RPG game again but want to skip the grinding aspects (I've beat all the ones I'm interested in on the real console ages ago). Nothing like completing one battle and watching your level go up +30 in one shot :-)

The RE of the encryption and compression is pretty impressive. For the end user, the editing is pretty straightforward reverse engineering. Finding the integers shouldn't be too bad (the same techniques can be used for finding cheats in emulators). Once they get a compare feature done, that should allow for some good differential analysis. I'm curious to look over some of this stuff, I'm curious as to the various strategies used to store the data. And the skills learned from picking apart these save files can actually be pretty valuable.

This might get some negative attention from companies that like to store their DLC on the disc. I wonder how easy it is to unlock all of those Street Fighter X Tekken characters with this tool?

If it's only letting you hack "save files" then on-disc DLC should be okay as long as it doesn't allow you to alter PS3 "game files". I don't believe save files have anything to do with execution files. Though if they figured out how to pull out the decryption method then there might be a problem.

Why does it have to send your file for decryption and encryption? What's the problem with doing it locally on the users machine? Even if things are rapidly changing, it's a PC program so downloading patches for modules is not a big deal.

Unfortunately I do think they're going to get sued and lose over the encryption portion, which will be very sad.

If the device can save a game in progress & load a saved game then gamesaves are readable & writable. If the gamesave is readable & writable and the device can decode it for use then the gamesave is editable. If the gamesave is editable then the encryption/compression is decodable. If the encryption/compression is decodable then GameGenie or a similar device can make the raw file modifiable. If the raw file is modifiable the hacker community can document the save locations.

That last one is where crowdsourcing has been used for decades now with dedicated gamesave hackers publishing their finds

It is of course possible to lock gamesaves. You just need a special isolated memory that is only readable by firmware that is installed in nonremovable ROMs. You also need to ensure that this custom firmware will fail if the modifiable firmware is modified (AKA no updates permitted). For this reason gamesave editing is likely to be available on all systems with updateable operating systems and, of the remaining systems, any that can have ROMs added can be modified with extensions added via expansion boards.

Only if you care about trophy levels/gamerscore. It's a useless metric but plenty of people are proud of their 'cheevos, bro, and probably won't like the idea of someone getting free credit when they had to grind for 20 hours to get a trophy or 50G.

Sony doesn't have to lift a finger: a game company can start checksumming save files and saving the checksums over an online service, requiring that the game be online to save local files and preventing Game Genie use. (Can that be hackable? Sure, but the mainstream players won't bother with it.)

Kyle Orland / Kyle is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from University of Maryland. He is based in Pittsburgh, PA.